What is required for PCI SAQ C?
PCI DSS SAQ C is aimed explicitly at merchants who process cardholder data through internet-connected payment applications but do not store any cardholder data. The PCI Self-Assessment Questionnaire (SAQ) C is designed for merchants with internet-connected payment application systems.
PCI SAQ C merchants process cardholder data with point of sale (POS) systems or other internet-connected payment application systems, and do not store cardholder data on any computer system. Merchants eligible for PCI SAQ C may process both card-present and card-not-present transactions.
See Also: Choosing the Right PCI DSS SAQ
You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.
Who applies to PCI SAQ C?
The Self-Assessment Questionnaire C is a long form consisting of 160 questions. Therefore, it is crucial to make sure that it is right for you before filling in SAQ C, so that you do not waste extra effort and time.
Before choosing PCI SAQ C, you should ask yourself whether you are storing any card data in electronic form, because keeping card data means you are not eligible for SAQ C. You should refer to SAQ D if you store card data electronically.
To qualify for PCI SAQ C, the merchant must process cardholder data either via mail/telephone orders, where the card is not physically present, or via point of sale (POS) terminals, where the card is physically present.
In short, SAQ C is for merchants that have a single point of sale or a single store location with an internet-connected payment system. The POS or payment application system and the internet connection must be on the same device or LAN, and the system must not be connected to any other network.
If a LAN is set up for the POS environment, it must serve only one location and must not be connected to any other facility or network. Also, only paper records may be kept, and cardholder data must not be stored electronically.
You should complete PCI SAQ C if all of the following apply to you:
- Your company has an Internet connection and payment application system on the same device or local area network (LAN)
- The payment processing system in your environment is not connected to any other system
- The POS environment is not connected to any other location, and any LAN is for one site only
- Your company keeps some cardholder information on paper, and these records are not received electronically
- Your company does not store cardholder information in electronic form
It should be noted that SAQ C is not valid for e-commerce merchants.
What is the difference between SAQ C and SAQ C-VT?
PCI SAQ C-VT applies to businesses that process payments through virtual payment terminals. SAQ C, on the other hand, is valid for companies that are connected to the internet and that operate with isolated payment application systems that do not store electronic cardholder data.
What are the requirements of SAQ C?
PCI SAQ C covers all 12 PCI DSS requirements, but some requirements need more attention than others:
- PCI DSS Requirement 1: Protect your data with a firewall
- PCI DSS Requirement 2: Do not use manufacturer-supplied defaults for system passwords and other security settings
- PCI DSS Requirement 3: Protect your stored cardholder data
- PCI DSS Requirement 4: Encrypt transfer of cardholder data over open, public networks
- PCI DSS Requirement 5: Protect all servers from malware
- PCI DSS Requirement 6: Develop secure applications and systems
- PCI DSS Requirement 7: Restrict access to cardholder data on a need-to-know basis
- PCI DSS Requirement 8: Define and control access to system components
- PCI DSS Requirement 9: Restrict physical access to cardholder data
- PCI DSS Requirement 10: Monitor any access to network resources and cardholder data
- PCI DSS Requirement 11: Regularly test security systems and processes
- PCI DSS Requirement 12: Establish information security policies for all employees
You can self-assess with PCI SAQ C if you meet the eligibility conditions above. PCI SAQ C covers all 12 requirements, but the number of items under some requirements has been reduced.
What questions will you answer in SAQ C?
Although answering each of the 160 questions in SAQ C may seem daunting, the fact that every item maps to one of the 12 PCI DSS requirements makes the process at least more manageable.
PCI SAQ C has 160 questions in total. Here are a few examples of questions you should answer:
- Is inbound and outbound traffic limited to what is required for the cardholder data environment?
- Is the default information provided by manufacturers always changed before a system is installed on the network?
- Are sensitive authentication data deleted or made unavailable after the authorization phase?
- Do you only accept trusted keys or certificates?
- Is antivirus software installed on all systems commonly affected by malware?
- Are critical security patches applied within one month of being released?
- Are people given access privileges based on the classification and role of their job?
- Are all users given a unique ID to access system components or cardholder data before use?
- Are user passwords changed every 90 days?
- Are all media destroyed when not required for commercial or legal reasons?
- Are audit logs kept for at least a year?
- Are internal vulnerability scans performed quarterly?
- Is a list of service providers maintained with a description of the services provided?
How to Complete the PCI DSS Self-Assessment Questionnaire C?
Each question on the SAQ C form offers several answers with which you can indicate your company’s status regarding the requirement. Your answer to a question may be “Yes”, “No”, “Compensating Control” or “Not Applicable”. Only one answer should be chosen for each question.
You can complete the SAQ C form by following the steps below in order:
- First, determine the applicable SAQ for your environment.
- Confirm that the scope of your environment is defined correctly and meets the eligibility criteria for the SAQ you are using.
- Assess your environment to comply with the applicable PCI DSS requirements for SAQ C.
- Complete all required sections of the SAQ C form.
- Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to your acquirer, your payment brand, or other requester.
Additional tips for filling out your PCI SAQ C
Additional tips to consider when filling out PCI SAQ C are as follows:
Document everything: Make sure all policies and procedures are documented. Documented policies and procedures let you manage everything consistently and protect you from liability.
Segment your networks: By keeping your cardholder data environment separate from the rest of your organization, you can reduce your PCI DSS scope.
Speak to a Qualified Security Assessor: If you are not familiar with PCI, the best idea is to speak to someone who is experienced and knows the business. PCI experts will help you identify areas where security is lacking.
You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire C pdf form here.